rm -rf /blackhat

Through a series of strange decisions I found myself on the way to Las Vegas during the same week as Black Hat, though without a ticket to the Black Hat Briefings. This didn’t faze me in the slightest, as I attended Black Hat last year and, to be quite frank, I wasn’t impressed. This did raise an interesting question though: if I’m not wasting my time at Black Hat, what could I be doing?

This question was easily answered as just about every person I look up to in the InfoSec industry was heading to one place…BSides LV at the Tuscany Hotel. I’d never attended a BSides conference before and had no idea what to expect. How much are the tickets? How long are the queues for the talks? How much is the food and drinks? It turns out the answer is pretty much nothing to all of the above.

What I want to take away from an InfoSec conference is to learn something, meet some interesting people, help others who have questions and generally have a good time doing it. Walking into BSides on Tuesday morning, I was warmly greeted and given a badge and a smile. That’s it. No spammy email address, no dollars, just a badge. Walking around BSides I saw that there is an abundance of tracks, workshops and a large chill-out area with free drinks (as in beer), raffles and competitions.

I spent the large majority of the con on the red team for the “Joes vs Pros CTF” competition, which gives defensive security and network engineers a chance to feel the heat of a red team bashing the hell out of their network. Uptime is important for points, and there is a gold team sending the blue team help desk requests, which need to be actioned whilst they frantically try to secure their network and kill our shells.

After the competition closed on Tuesday, I had a chat with the winning blue team, who did a really good job of locking us out whilst maintaining uptime on critical services. These guys got pummelled last year and came away with new skills and ideas that they implemented this year. A few of the members said they had learned more from competing in Joes vs Pros for a single day than from years of college and certifications. They mentioned that dealing with an active attack while being forced to keep vulnerable software up and running taught them to look further than simple patching exercises. The creativity they showed was astounding – from setting up spoofed sites with no back-end connected to them, to serving us honeypots and ban-hammering us on their firewalls.

The following day, the blues got their own red team members and needed to engage the opposing blue team. With a red team member assisting them with the exploitation of the target machines compromised the day before, the blues got to experience the attack from the red team’s point of view and learned how targets are enumerated and which weaknesses in the discovered applications get exploited. This information was then used to modify their own applications to make exploitation by the opposing team much more difficult, or even impossible.

What I took away from this experience is that these blue team members are getting valuable training, whilst having a good time, essentially for the price of getting to Las Vegas. BSides volunteers make the con what it is and sponsor donations go towards the cost of setting up the competitions or providing prizes and drinks.

I learned a lot about BSides over my two days there. I attended some good talks, snuck into a workshop where attendees were taught to build an RFID reader that works from 4 feet away with only $35 of hardware, met some awesome people and had a great time doing it all.

All this made me really REALLY angry.

Even though there was good work being done and great knowledge being shared at the Tuscany Hotel, several blocks away the world’s largest “security” conference was being held and doing a fine job of advancing just about everything that is wrong with this industry.

Since starting work as a Penetration Tester, I’ve noticed one very big problem within the Information Security realm. By far the biggest problem that currently exists in InfoSec is that people still believe they can “buy” security. Right out of the gate I will tell you: “this is bullshit!” You cannot buy anything from any vendor that will stop your company from getting compromised. Buzzwords like Next-Gen, Multi-Tiered, Smart and APT are just marketing turd-speak for devices that basically do nothing. And Black Hat is the single biggest culprit in promoting the use of these “magic bullets.”

After you’ve cleared away all the fluff around Black Hat, what you’re left with is a room full of “magic bullets” being shown off by booth babes and a bunch of “researchers” giving presentations to massive audiences about why they should buy them. To make matters worse, the amount of money spent on these devices each year is astronomical – yet more companies are getting compromised every day than ever before.

I borrowed a ticket to visit the vendor-fest on Thursday for a couple of hours to see what, if anything, was better about this year than last. After all, 8000 people can’t be wrong, right? After looking at the briefings and seeing that there was hardly anything of value worth watching, I wandered over to the vendor area. I ended up speaking to a golf shirt about his “magical DLP machine”, which uses sophisticated algorithms and cutting-edge buzzwords to hunt down people leaking trade secrets and PII. I asked him if the machine would catch someone exfiltrating credit card numbers and the response was a resounding “Oh definitely!” When asked what the machine would do if someone base64’d this same information first, he ran off to find someone with a brain. I then spoke to one of the “magical DLP machine” developers, who told me that the CPU cycles taken to decrypt the traffic would be too much for such high throughput, and base64 traffic would not be decoded before checking the contents.
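To make the base64 point concrete, here is an added example in Python. It is not code from the original post and not any vendor’s product; it is a toy content-inspection check of the kind a DLP box runs: a regex for card-number-shaped digit runs plus a Luhn check to cut false positives. The naive version inspects bytes as they arrive and catches the plaintext PAN; the same bytes base64-encoded sail straight past it. The second version additionally tries to decode plausible base64 runs (recursively, to a small depth) before matching, which is exactly the extra CPU work the vendor said they skip. The sample payload and the 4111 1111 1111 1111 test number are constructed for the example.

```python
"""Added example: naive DLP check vs. one that decodes base64 before matching.
The payload below is constructed; 4111 1111 1111 1111 is a well-known test PAN."""
import base64
import binascii
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A run of at least 16 base64-alphabet characters, optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps random digit runs from counting as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in plaintext, separators stripped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def naive_dlp(payload: bytes) -> list[str]:
    """The booth version: match against the bytes exactly as they are on the wire."""
    return find_pans(payload.decode("utf-8", errors="replace"))


def decoding_dlp(payload: bytes, max_depth: int = 2) -> list[str]:
    """Match the raw text, then also decode any plausible base64 runs and
    re-inspect the result, up to max_depth layers of encoding. The decode
    attempts are the throughput cost the vendor would rather not pay."""
    text = payload.decode("utf-8", errors="replace")
    hits = find_pans(text)
    if max_depth == 0:
        return hits
    for m in B64_RE.finditer(text):
        run = m.group(0)
        run += "=" * (-len(run) % 4)  # restore padding an exfil tool may strip
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but was not; move on
        hits.extend(decoding_dlp(decoded, max_depth - 1))
    return hits


# Constructed sample: one record from a pretend customer export.
SAMPLE = b"customer=alice; pan=4111 1111 1111 1111; exp=12/29\n"
ENCODED = base64.b64encode(SAMPLE)          # what the golf shirt's box misses
DOUBLE_ENCODED = base64.b64encode(ENCODED)  # two layers, still caught at depth 2

if __name__ == "__main__":
    print("raw       naive:", naive_dlp(SAMPLE), "decoding:", decoding_dlp(SAMPLE))
    print("base64    naive:", naive_dlp(ENCODED), "decoding:", decoding_dlp(ENCODED))
    print("base64 x2 naive:", naive_dlp(DOUBLE_ENCODED), "decoding:", decoding_dlp(DOUBLE_ENCODED))
```

The point of the example is the trade-off, not the regex: every layer of decoding the inspector is willing to attempt multiplies the work per byte, and an attacker only needs one layer the box does not try (base64 here, but compression, custom alphabets or TLS to a domain the box does not intercept all work the same way). That is why asking a vendor “what if I encode it first?” is a cheap, fair test.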

Then I see the big one…a box that can detect 0-day malware. Oh wow. Problem solved. These guys have cracked the code. They have made a device smarter than all the Russian, Ukrainian and Belize malware devs combined. Or have they? I challenge you. Deploy that thing on a public network and offer $1 million to the person who deploys malware on the same network which the box cannot detect.

Vendor after vendor pitched me their next-gen, cutting edge, complex algorithm, layer-7 flashy box and each and every time, I could outwit their machines in under 5 minutes. Again, if you didn’t read it earlier…”YOU CAN’T BUY SECURITY!” Walking into Black Hat and throwing money at everything with a flashing light and a web console is not going to make you or your company more secure. Even if you bought each and every single device and had them professionally installed with maximum protections enabled, any pentester worth their salt could still compromise your network with a smile or a cleverly worded email. And that is the main reason why all these products do not work.

Chris Nickerson put it best. “You say your device can do this? Prove it! You say your company is secure? Prove it! You say the bad guys can’t get your customer data? Prove it!” If for one second you actually believe the hype regurgitated by these pretty boys with their sunglasses and golf shirts who market some box that protects against everything, then you have already lost. If it could genuinely solve all your information security problems as soon as you plug it in, they could sell it for a bazillion dollars and you would gladly buy it.

But the reality is that you’re actually buying nothing. You’re buying a marketing pitch. Maybe you’re buying a few nights of peaceful sleep. Maybe you’re buying a bigger budget next year. Maybe you’re buying an alliance with some vendor. But you are not buying security and the vendors cannot prove that their solutions do anything to stop a determined attacker. All they can do is show you that in a perfect simulated test environment, it does something. Would it work in your environment? Maybe. Will it make you more secure? Probably not. Does the machine do all the things it says on the tin? Doubtful.

I’m not saying that there is no value in Black Hat. I’m saying there is no value in purchasing a $1500 ticket to attend a convention where you are encouraged to purchase more things. If you are in the security industry and attend Black Hat to network with clients, great. You could probably do that for free at one of the million parties held after hours. Just avoid all the golf-shirt booth-boys running around with their sunglasses on at night calling themselves hackers because they work for a company whose product can detect SQLi vulnerabilities. “Shut up, you’re a sales monkey!” There are also some good talks at the briefings. Black Hat is not without interesting material, but from an attacker’s point of view I find the content of Black Hat weak and lacking compared to BSides.

If you are the principal or manager of a pentest team, please, don’t send your testers to Black Hat, allow them to attend BSides instead where they can actually learn, meet, teach and have fun.

P.S. All of the above is my opinion, which I’m entitled to. However, if you managed to read this far and wish to bitch at me for saying what I did, use the comment feature below and I’ll make every effort to respond if required.

7 Responses to rm -rf /blackhat

I think you’re looking at it all wrong. It’s fun to fence with the vendors — I like to walk the vendor floor because I know I’ll be seeing all of these products in the near future. The sooner I see them and start thinking about what I’m going to do, the better I am. Snake oil doesn’t “work”, per se, but it does force you to respond to it. So any pen-tester should allocate some time to staying up on what’s out there.

I do disagree about your characterization of the talks. I really don’t see anywhere near a majority of the talks pushing products or trying to get someone to buy something. Some are more about recognition, but at least they have to present something to get it.

If you want to see a real manifestation of how you characterize Black Hat, go attend RSA once, and then let’s see how you feel.

Valid points mate. I understand your points about getting the inside info on your future nemesis and I agree that knowing up front is better. Where I have the problem is that the Global Fortune companies I deal with are all too happy to walk away from Black Hat with a million dollar hole in their pocket from buying ‘snake oil’ but then don’t have $10k for a simple pentest to see if it actually works. I find it’s largely because they’re coerced into believing it works when in truth they don’t actually know UNLESS they have it tested.

Case in point, last year a client of mine dropped several million on securing thousands of their iPads with the industry leading iOS securing platform. My team and I tested it after seeing it at last year’s BH and the application didn’t actually perform the encryption wrapping on the traffic that they said it did; it was purely clear text. What’s worse, the lock-down feature failed open: if you just mashed the “OK” message enough times, you had access to any setting on the device. We were fortunate to uncover this for them in the limited budget they had left after expenses such as these.

My view of Defcon decreases year by year. I find the quality of talks diminishing and the douche-baggery of Goons steadily increasing. This year was the worst by far as far as the Goons go. The level of shit I saw them giving people, as well as their general attitude, makes me sick. If they were out and about they would never treat people that way.

That said, I still find Defcon a good social event as many Infosec professionals attend and it’s great to catch up with internet mates. But as an Australian footing a $4500 bill to get there, it’s not worth it without quality talks.